Fixes

Author: aamini7

scenarios/AksOpenAiTerraform/README.md

@@ -11,50 +11,39 @@ ms.custom: innovation-engine, linux-related-content
 ## Provision Resources
 Run terraform to provision all the required Azure resources
 ```bash
-# DELETE
-export EMAIL="ariaamini@microsoft.com"
-export SUBSCRIPTION_ID="b7684763-6bf2-4be5-8fdd-f9fadb0f27a1"
+# Terraform parses TF_VAR_* (Ex: TF_VAR_xname -> xname)
+export TF_VAR_location="westus3"  
+export TF_VAR_kubernetes_version="1.30.7"
+export TF_VAR_model_name="gpt-4o-mini"
+export TF_VAR_model_version="2024-07-18"
 
-# Define input vars
-export LOCATION="westus3"
-export KUBERNETES_VERSION="1.30.7"
-export AZURE_OPENAI_MODEL="gpt-4o-mini"
-export AZURE_OPENAI_VERSION="2024-07-18"
-
-# Run Terraform
-export TF_VAR_location=$LOCATION  # $TF_VAR_example_name will be read as var example_name by terraform.
-export TF_VAR_kubernetes_version=$KUBERNETES_VERSION
-export TF_VAR_model_name=$AZURE_OPENAI_MODEL
-export TF_VAR_model_version=$AZURE_OPENAI_VERSION
-export ARM_SUBSCRIPTION_ID=$SUBSCRIPTION_ID  # Used by terraform to find sub.
 terraform -chdir=infra init
-terraform -chdir=infra apply
-
-# Save outputs
-export RESOURCE_GROUP=$(terraform -chdir=infra output -raw resource_group_name)
-export WORKLOAD_IDENTITY_CLIENT_ID=$(terraform -chdir=infra output -raw workload_identity_client_id)
-export AZURE_OPENAI_ENDPOINT=$(terraform -chdir=infra output -raw openai_endpoint)
-export ACR_LOGIN_URL=$(terraform -chdir=infra output -raw acr_login_url)
-export IMAGE="$ACR_LOGIN_URL/magic8ball:v1"
+terraform -chdir=infra apply -auto-approve
 ```
 
-# Login to AKS
+## Login to Cluster
 ```bash
+RESOURCE_GROUP=$(terraform -chdir=infra output -raw resource_group_name)
 az aks get-credentials --admin --name AksCluster --resource-group $RESOURCE_GROUP --subscription $SUBSCRIPTION_ID
 ```
 
-## Build Dockerfile
+## Deploy
 ```bash
+## Build Dockerfile
+ACR_LOGIN_URL=$(terraform -chdir=infra output -raw acr_login_url)
+IMAGE="$ACR_LOGIN_URL/magic8ball:v1"
 az acr login --name $ACR_LOGIN_URL
 docker build -t $IMAGE ./magic8ball --push
-```
 
-# Deploy App
-```bash
-envsubst < quickstart-app.yml | kubectl apply -f -
+# Apply Manifest File
+export IMAGE
+export WORKLOAD_IDENTITY_CLIENT_ID=$(terraform -chdir=infra output -raw workload_identity_client_id)
+export AZURE_OPENAI_DEPLOYMENT=$(terraform -chdir=infra output -raw openai_deployment)
+export AZURE_OPENAI_ENDPOINT=$(terraform -chdir=infra output -raw openai_endpoint)
+envsubst < quickstart-app.yml | kubectl apply -f -```
 ```
 
-# Wait for public IP
+## Wait for public IP
 ```bash
 kubectl wait --for=jsonpath="{.status.loadBalancer.ingress[0].ip}" service/magic8ball-service
 PUBLIC_IP=$(kubectl get service/magic8ball-service -o=jsonpath="{.status.loadBalancer.ingress[0].ip}")

scenarios/AksOpenAiTerraform/infra/main.tf

@@ -79,12 +79,11 @@ resource "azurerm_user_assigned_identity" "workload" {
 }
 
 resource "azurerm_federated_identity_credential" "this" {
-  name                = "FederatedIdentity"
-  resource_group_name = azurerm_resource_group.main.name
-
+  name                = azurerm_user_assigned_identity.workload.name
+  resource_group_name = azurerm_user_assigned_identity.workload.resource_group_name
+  parent_id           = azurerm_user_assigned_identity.workload.id
   audience  = ["api://AzureADTokenExchange"]
   issuer    = azurerm_kubernetes_cluster.main.oidc_issuer_url
-  parent_id = azurerm_user_assigned_identity.workload.id
   subject   = "system:serviceaccount:default:magic8ball-sa"
 }
 
@@ -99,11 +98,6 @@ resource "azurerm_cognitive_account" "openai" {
   kind                          = "OpenAI"
   custom_subdomain_name         = "magic8ball-${local.random_id}"
   sku_name                      = "S0"
-  public_network_access_enabled = true
-
-  identity {
-    type = "SystemAssigned"
-  }
 }
 
 resource "azurerm_cognitive_deployment" "deployment" {
@@ -121,6 +115,15 @@ resource "azurerm_cognitive_deployment" "deployment" {
   }
 }
 
+resource "azurerm_role_assignment" "cognitive_services_user" {
+  scope                = azurerm_cognitive_account.openai.id
+  role_definition_name = "Cognitive Services OpenAI Contributor"
+  principal_id         = azurerm_user_assigned_identity.workload.principal_id
+  principal_type       = "ServicePrincipal"
+  
+  skip_service_principal_aad_check = true
+}
+
 ###############################################################################
 # Networking
 ###############################################################################

scenarios/AksOpenAiTerraform/infra/outputs.tf

@@ -12,4 +12,8 @@ output "acr_login_url" {
 
 output "openai_endpoint" {
   value = azurerm_cognitive_account.openai.endpoint
+}
+
+output "openai_deployment" {
+  value = azurerm_cognitive_deployment.deployment.name
 }

scenarios/AksOpenAiTerraform/magic8ball/app.py

@@ -6,11 +6,10 @@
 from azure.identity import DefaultAzureCredential, get_bearer_token_provider
 
 deployment = os.getenv("AZURE_OPENAI_DEPLOYMENT")
-api_version = os.environ.get("AZURE_OPENAI_VERSION")
 azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT")
 
 client = AzureOpenAI(
-    api_version=api_version,
+    api_version="2024-10-21",
     azure_endpoint=azure_endpoint,
     azure_ad_token_provider=get_bearer_token_provider(
         DefaultAzureCredential(), "https://cognitiveservices.azure.com/.default"

scenarios/AksOpenAiTerraform/quickstart-app.yml

@@ -4,9 +4,7 @@ metadata:
   name: magic8ball-configmap
 data:
   AZURE_OPENAI_ENDPOINT: $AZURE_OPENAI_ENDPOINT
-  AZURE_OPENAI_MODEL: $AZURE_OPENAI_MODEL
-  AZURE_OPENAI_DEPLOYMENT: $AZURE_OPENAI_MODEL
-  AZURE_OPENAI_VERSION: $AZURE_OPENAI_VERSION
+  AZURE_OPENAI_DEPLOYMENT: $AZURE_OPENAI_DEPLOYMENT
 ---
 apiVersion: apps/v1
 kind: Deployment